Windows Defender identifies PoshKeepass as trojan #132

Closed
dizzi90 opened this issue Apr 4, 2018 · 8 comments
dizzi90 commented Apr 4, 2018

Trojan:PowerShell/Pklotide.A

Level: Serious
Status: Quarantined

Category: Trojan

Affected files:
containerfile: C:\Program Files\WindowsPowerShell\Modules\PoShKeePass\2.0.4.0\PoShKeePass.psm1
file: C:\Program Files\WindowsPowerShell\Modules\PoShKeePass\2.0.4.0\PoShKeePass.psm1->(UTF-8)

Steps to reproduce:
Install through Install-Module
Run Windows Defender scan of C:\Program Files\WindowsPowerShell\Modules\PoShKeePass

dizzi90 commented Apr 4, 2018

This is a completely breaking issue for business use.

@tricksta123

Same here.

The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:
containerfile:C:\Users~\Downloads\PoShKeePass-master.zip
file:C:\Users~\Downloads\PoShKeePass-master.zip->PoShKeePass-master/bin/EncodeKeePassLib.ps1
file:C:\Users~\Downloads\PoShKeePass-master.zip->PoShKeePass-master/PoShKeePass.psm1->(UTF-8)
webfile:C:\Users~\Downloads\PoShKeePass-master.zip|https://codeload.github.com/PSKeePass/PoShKeePass/zip/master|pid:7724,ProcessStart:131664756606988796

@jkdba jkdba self-assigned this Apr 4, 2018
jkdba commented Apr 4, 2018

I will look into this and see if I can reproduce; I suspect it has to do with the EncodeKeePassLib.ps1, which is not needed for the module to function.

jkdba commented Apr 4, 2018

@dizzi90 @tricksta123

I found the culprit in the code that the new Windows Defender definition does not like.

The Import-KPLibrary function was using a specific method of loading the keepasslib.dll into the current runspace.

This method, I suppose, it does not like.

$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
$UncompressedFileBytes = New-Object Byte[](252312)
$DeflatedStream.Read($UncompressedFileBytes, 0, 252312) | Out-Null
[Reflection.Assembly]::Load($UncompressedFileBytes)

I looked at the compression rate and it was nothing to get excited about.

There is indeed a simple fix for this. I will try to get this published to the PSGallery and GitHub as soon as possible, but in the meantime you can make this change to the Import-KPLibrary function in the PoShKeePass.psm1 file.

Change the following if block in its entirety to the following: (Line 3405)

if(-not $KeePassAssemblyIsLoaded)
{
    $Path = Resolve-Path ('{0}\bin\KeePassLib.dll' -f $PSScriptRoot)
    Add-Type -Path $Path.Path
}

The entire function should look like this:

function Import-KPLibrary
{
    [CmdletBinding()]
    param()
    process
    {
        Write-Debug -Message '[PROCESS] Checking if KeePassLib is already loaded.'
        $LoadedAssemblies = [AppDomain]::CurrentDomain.GetAssemblies()
        $KeePassAssembly = $LoadedAssemblies | Where-Object { $_.FullName -match "KeePassLib"}

        if($KeePassAssembly)
        {
            $KeePassAssemblyInfo = @{
                'Name' = $KeePassAssembly.FullName.Replace(' ','').Split(',')[0]
                'Version' = $KeePassAssembly.FullName.Replace(' ','').Split(',')[1].Split('=')[1]
                'Location' = $KeePassAssembly.Location
            }

            if($KeePassAssemblyInfo.Name -eq 'KeePassLib')
            {
                if($KeePassAssemblyInfo.Version -eq '2.30.0.15901')
                {
                    Write-Verbose -Message ('KeePassLib has already been loaded, from: {0}.' -f $KeePassAssemblyInfo.Location)
                    Write-Debug -Message ('KeePassLib Assembly Name: {0}, Version: {1}' -f $KeePassAssemblyInfo.Name, $KeePassAssemblyInfo.Version)
                    $KeePassAssemblyIsLoaded = $true
                }
                else
                {
                    Write-Debug -Message '[PROCESS] A KeePassLib Assembly is loaded but it does not match the required version: ''2.30.0.15901'''
                    Write-Debug -Message ('[PROCESS] Version Found: {0}' -f $KeePassAssemblyInfo.Version)
                    Write-Debug -Message '[PROCESS] Will continue to load the correct version.'
                }
            }
            else
            {
                Write-Debug -Message '[PROCESS] No Loaded Assembly found for KeePassLib. Will Continue to load the Assembly.'
            }
        }

        if(-not $KeePassAssemblyIsLoaded)
        {
            $Path = Resolve-Path ('{0}\bin\KeePassLib.dll' -f $PSScriptRoot)
            Add-Type -Path $Path.Path
        }
    }
}
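
As an added defender-side example (not code from this thread or from the PoShKeePass project), here is a small Python heuristic that flags the Base64-decode, Deflate-decompress, Assembly::Load-from-bytes pattern jkdba identified, while passing the on-disk Add-Type -Path form. The two sample strings are constructed from the snippets above, with the embedded Base64 blob replaced by a placeholder.

```python
import re

# Heuristic indicators for the "decode -> decompress -> load from memory" pattern that the
# thread identifies as the trigger for the Trojan:PowerShell/Pklotide.A detection.
INDICATORS = {
    "base64_decode": re.compile(r"\[Convert\]::FromBase64String\(", re.I),
    "deflate_decompress": re.compile(r"IO\.Compression\.DeflateStream", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
    # A long bare Base64 literal is the embedded payload itself (EncodeKeePassLib.ps1 output).
    "embedded_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_script(text):
    """Return a list of (line_number, indicator_name) hits for a PowerShell source string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


def loads_assembly_from_memory(text):
    """True when decoded or decompressed bytes are fed to Assembly::Load, i.e. no DLL ever
    touches disk where the AV engine could scan it or Authenticode could be checked."""
    names = {name for _, name in scan_script(text)}
    return "reflective_load" in names and bool(
        names & {"base64_decode", "deflate_decompress", "embedded_blob"}
    )


# Constructed sample: the loader as quoted in the thread, blob replaced by a placeholder.
BEFORE = r'''
$EncodedCompressedFile = '<base64 blob omitted>'
$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
$UncompressedFileBytes = New-Object Byte[](252312)
$DeflatedStream.Read($UncompressedFileBytes, 0, 252312) | Out-Null
[Reflection.Assembly]::Load($UncompressedFileBytes)
'''

# Constructed sample: the fixed block, loading the DLL from the module's bin folder on disk.
AFTER = r'''
if(-not $KeePassAssemblyIsLoaded)
{
    $Path = Resolve-Path ('{0}\bin\KeePassLib.dll' -f $PSScriptRoot)
    Add-Type -Path $Path.Path
}
'''
```

Point the scanner at a whole .psm1 and it reports the line numbers of each indicator, which is enough to locate an embedded loader like the one at line 3405 of the affected module.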

jkdba commented Apr 4, 2018

@dizzi90 @tricksta123 published fixes to both GitHub and PS Gallery. Let me know if you have further issues.

Thanks for catching and posting this.

@tricksta123

Sorted now. Thanks John. 👍

dizzi90 commented Apr 9, 2018

I can add that MS has also fixed it from their end by whitelisting. Nothing beats fixing from both sides :)

jkdba commented Apr 9, 2018

@dizzi90 great! Is there a link to see that it was whitelisted?
